mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-06-17 11:59:30 +00:00
b2b039b6e7
Some checks are pending
/ release (push) Waiting to run
testing / backend-checks (push) Waiting to run
testing / frontend-checks (push) Waiting to run
testing / test-unit (push) Blocked by required conditions
testing / test-e2e (push) Blocked by required conditions
testing / test-remote-cacher (redis) (push) Blocked by required conditions
testing / test-remote-cacher (valkey) (push) Blocked by required conditions
testing / test-remote-cacher (garnet) (push) Blocked by required conditions
testing / test-remote-cacher (redict) (push) Blocked by required conditions
testing / test-mysql (push) Blocked by required conditions
testing / test-pgsql (push) Blocked by required conditions
testing / test-sqlite (push) Blocked by required conditions
testing / security-check (push) Blocked by required conditions
Currently, if you try to add an "external" link to a release in Forgejo, the validation code checks for basic URL soundness and then specifically checks that the URL is not an API URL. In some cases, it may make sense to link to instance API URLs (like when you want to create a release that links to several different repos' packages). Relax this check so it only validates basic URL soundness. Refs: https://codeberg.org/forgejo/forgejo/issues/7598 ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. See: https://codeberg.org/forgejo/docs/pulls/1161 ### Release notes - [ ] I do not want this change to show in the release notes. - [x] I want the title to show in the release notes with a link to this pull request. - [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/7644): <!--number 7644 --><!--line 0 --><!--description YWxsb3cgaW5zdGFuY2UgQVBJIFVSTHMgaW4gcmVsZWFzZSBhc3NldHM=-->allow instance API URLs in release assets<!--description--> <!--end release-notes-assistant--> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7644 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Reviewed-by: Malte Jürgens <maltejur@noreply.codeberg.org> Co-authored-by: John Moon <john.moon@vts-i.com> Co-committed-by: John Moon <john.moon@vts-i.com>
116 lines
3 KiB
Go
116 lines
3 KiB
Go
// Copyright 2018 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package validation
|
|
|
|
import (
|
|
"net"
|
|
"net/url"
|
|
"regexp"
|
|
"strings"
|
|
|
|
"forgejo.org/modules/setting"
|
|
)
|
|
|
|
var externalTrackerRegex = regexp.MustCompile(`({?)(?:user|repo|index)+?(}?)`)
|
|
|
|
func isLoopbackIP(ip string) bool {
|
|
return net.ParseIP(ip).IsLoopback()
|
|
}
|
|
|
|
// IsValidURL checks if URL is valid
|
|
func IsValidURL(uri string) bool {
|
|
if u, err := url.ParseRequestURI(uri); err != nil ||
|
|
(u.Scheme != "http" && u.Scheme != "https") ||
|
|
!validPort(portOnly(u.Host)) {
|
|
return false
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
// IsValidSiteURL checks if URL is valid
|
|
func IsValidSiteURL(uri string) bool {
|
|
u, err := url.ParseRequestURI(uri)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
|
|
if !validPort(portOnly(u.Host)) {
|
|
return false
|
|
}
|
|
|
|
for _, scheme := range setting.Service.ValidSiteURLSchemes {
|
|
if scheme == u.Scheme {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// IsAPIURL checks if URL is current Gitea instance API URL
|
|
func IsAPIURL(uri string) bool {
|
|
return strings.HasPrefix(strings.ToLower(uri), strings.ToLower(setting.AppURL+"api"))
|
|
}
|
|
|
|
// IsValidExternalURL checks if URL is valid external URL
|
|
func IsValidExternalURL(uri string) bool {
|
|
if !IsValidURL(uri) || IsAPIURL(uri) {
|
|
return false
|
|
}
|
|
|
|
u, err := url.ParseRequestURI(uri)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
|
|
// Currently check only if not loopback IP is provided to keep compatibility
|
|
if isLoopbackIP(u.Hostname()) || strings.ToLower(u.Hostname()) == "localhost" {
|
|
return false
|
|
}
|
|
|
|
// TODO: Later it should be added to allow local network IP addresses
|
|
// only if allowed by special setting
|
|
|
|
return true
|
|
}
|
|
|
|
// IsValidReleaseAssetURL checks if the URL is valid for external release assets
|
|
func IsValidReleaseAssetURL(uri string) bool {
|
|
return IsValidURL(uri)
|
|
}
|
|
|
|
// IsValidExternalTrackerURLFormat checks if URL matches required syntax for external trackers
|
|
func IsValidExternalTrackerURLFormat(uri string) bool {
|
|
if !IsValidExternalURL(uri) {
|
|
return false
|
|
}
|
|
|
|
// check for typoed variables like /{index/ or /[repo}
|
|
for _, match := range externalTrackerRegex.FindAllStringSubmatch(uri, -1) {
|
|
if (match[1] == "{" || match[2] == "}") && (match[1] != "{" || match[2] != "}") {
|
|
return false
|
|
}
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
var (
|
|
validUsernamePatternWithDots = regexp.MustCompile(`^[\da-zA-Z][-.\w]*$`)
|
|
validUsernamePatternWithoutDots = regexp.MustCompile(`^[\da-zA-Z][-\w]*$`)
|
|
|
|
// No consecutive or trailing non-alphanumeric chars, catches both cases
|
|
invalidUsernamePattern = regexp.MustCompile(`[-._]{2,}|[-._]$`)
|
|
)
|
|
|
|
// IsValidUsername checks if username is valid
|
|
func IsValidUsername(name string) bool {
|
|
// It is difficult to find a single pattern that is both readable and effective,
|
|
// but it's easier to use positive and negative checks.
|
|
if setting.Service.AllowDotsInUsernames {
|
|
return validUsernamePatternWithDots.MatchString(name) && !invalidUsernamePattern.MatchString(name)
|
|
}
|
|
|
|
return validUsernamePatternWithoutDots.MatchString(name) && !invalidUsernamePattern.MatchString(name)
|
|
}
|